As further evidence of the varied and complex layers that exist in privacy, this week’s Privacy Tracker legislative roundup includes both limitations and expansions on privacy protections across the globe. The Court of Justice of the EU last week decided Google needed to stop indexing personal information upon request, which some see as a blow to people’s right to information, while in the U.S., California’s Court of Appeal protected the identity of an anonymous commenter to a music site—a decision some may claim tips the scale in the same way. Meanwhile, the U.S. Justice Department wants the ability to hack into computers during criminal investigations, and the Pennsylvania Supreme Court has ruled to allow warrantless vehicle searches by police with probable cause.
California Court Protects Anonymous Commenter
In the case of Digital Music News LLC v. Superior Court , the California Court of Appeal has decided to deny a request to reveal an anonymous commenter’s identity. The Washington Post reports that the court said the discovery wasn’t relevant to the state court infringement action, noting that even if it was, the court would have to deem that the need for discovery was “so strong as to outweigh the privacy right when these two competing interests are carefully balanced.” Judge Victoria Chaney wrote in the decision, “Such commentary has become ubiquitous on the Internet and is widely perceived to carry no indicium of reliability and little weight. We will not lightly lend the subpoena power of the courts to prove, in essence, that Someone Is Wrong On The Internet.”
Delaware Considering Bill To Give Login Credentials to Deceased’s Relatives
A bill in front of the Delaware legislature would mean login credentials of deceased individuals would be passed on to their heirs as part of their estate, reports WILM. The bill would require tech companies to treat heirs as the account holder.
Missouri Puts Electronic Privacy To Citizen Vote
The Missouri House has voted to advance to voters the question of whether law enforcement must obtain a warrant prior to accessing citizens’ electronic information and communications, the Associated Press reports. If passed, the state would amend its constitution to include “electronic communications and data” to the list of items protected from unreasonable search and seizure. (Registration may be required to access this story.)
Pennsylvania Court Okays Warrantless Vehicle Search; Committee Passes Secret Compartment Bill
In a 4-2 decision, the Pennsylvania Supreme Court has ruled that police can search vehicles without a warrant—but only with probable cause, reports PA Independent. Justice Seamus McCaffery wrote for the majority, saying, probable cause is “a strong and sufficient safeguard against illegal searches.”
Lawyers Get Creative in Proving Harm; Ninth Circuit Disagrees
In a legal environment where judges are one-by-one dismissing data breach cases due to a failure to prove harm on the side of the plaintiffs, lawyers are becoming more creative, reports Forbes. “For example, some class-action attorneys sue under federal statutes, such as the Wiretap Act and the Stored Communications Act,” the report states. But the Ninth Circuit Court has used a recent case against Facebook and Zynga to remind us that neither act “preclude(s) the disclosure of personally identifiable information; indeed, they expressly allow it.”
Bipartisan Bill Calls for Stronger Protections for Student Data
U.S. Sens. Edward Markey (D-MA) and Orrin Hatch (R-UT) want to prohibit companies from sharing students’ personal data when advertising their products or services, PC World reports. The senators’ proposal would regulate the use of student data by private companies and require organizations that store student data to implement safeguards. The draft proposal, called the Protecting Student Privacy Act, follows complaints by advocates that the provisions within the Family Educational Rights and Privacy Act (FERPA) of 1974 are weakened by schools’ outsourcing of data processing.
DoJ Seeks Broad Investigatory Computer Hacking Rights
The U.S. government is seeking to expand the Justice Department’s ability to hack into computers during criminal investigations, Bloomberg reports. A judicial committee is analyzing the proposal, which would give federal agents more broad access to suspects’ computers in bunches rather than one at a time, the report states. A lawyer for the American Civil Liberties Union said, “I don’t think many Americans would be comfortable with the government sending code onto their computers without their knowledge or consent … The power they’re seeking is certainly a broad one.” In a separate issue, the Justice Department does not have to disclose to privacy groups its use of cellphone tracking in cases that do not end in a conviction, according to a Court of Appeals ruling.
The FTC Snapchat Settlement: What It Means for You
Sen. Franken Contacts Samsung Over Data Privacy Concerns
In response to news that researchers were able to hack into the new Samsung Galaxy S5 using the device’s fingerprint scanner, Sen. Al Franken (D-MN) has written the company a letter expressing concern about the phone’s security, CNET News reports. “I am concerned by reports that Samsung’s fingerprint scanner may not be as secure as it may seem,” he wrote, “and that those security gaps might create broader security problems for the S5 smartphone.” Franken also worried about the use of fingerprints in phone authentication. “If hackers get hold of a digital copy of your fingerprint, they could use it to impersonate you for the rest of your life, particularly as more and more technologies start relying on fingerprint authentication.” Meanwhile, TRUSTe announced a partnership with the 2014 UK Mobile & App Design Awards to promote privacy best practice within the mobile industry.
Court Consolidates Target Breach Lawsuits
"The 140-odd lawsuits against Target Corp. regarding last year's data breach came together Wednesday for the first time under one roof, with throngs of lawyers from around the country," Mark Reilly reports for Minneapolis/St. Paul Business Journal. The suits, which include 29 on behalf of financial institutions, “were consolidated into three groups before U.S. District Judge Paul Magnuson on May 14,” BankInfoSecurity reports. Meanwhile, StarTribune reports on Target's new ad campaign aimed at "building customer trust following the data breach," and Mondaq examines the recent departure of Target’s CEO, suggesting, “He may be the first CEO of a major corporation to lose his job as a result of a data breach—but he will not be the last.” Breaches are bringing “greater attention to recommendations … by the Obama administration outlining voluntary national cyber security practices,” InformationWeek reports.
DoE Releases FERPA FAQ; School District Under Fire
The U.S. Department of Education (DoE) has released a 14-page list of commonly asked questions amidst calls for revisions to the Family Educational Rights and Privacy Act, which prohibits the disclosure of students’ personally identifiable information to third parties without written parental consent, Politico reports. “I don’t think it’s necessarily an easy decision, what is and what is not the ‘educational record’ … It’s very contextual. A lot of metadata won’t fit as an educational record,” said DoE CPO Kathleen Styles. Meanwhile, a nonprofit that promotes voucher programs has filed a complaint against an Ohio school district in the state’s Supreme Court claiming the district has refused to release student names and addresses although it has given that information to other organizations.
Commissioners Issue New Consent Guidelines
The Office of the Privacy Commissioner and the Offices of the Information and Privacy Commissioners of British Columbia and Alberta have issued new guidelines for online consent aimed at helping organizations better understand the importance of transparent online privacy practices. “The online world is creating new challenges for privacy transparency and meaningful consent. This environment is so fast-paced and complex that traditional methods of informing people about privacy issues and seeking consent may fall short,” explained Interim Privacy Commissioner of Canada Chantal Bernier, adding, “It is important for online organizations to take a thoughtful, creative approach to providing privacy information to Canadians.”
Court Ruling Makes Right To Be Forgotten a Reality
In what many are calling an historic decision, the European Union’s highest court has ruled that Google must provide users, in certain instances, with a right to delete links about themselves, including in some cases, public records. The European Court of Justice has said the automatic indexing of information that contains personal data “must be classified as ‘processing of personal data’” and that “the operator of the search engine must be regarded as the ‘controller’ in respect to that processing” and “is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person,” even “when its publication in itself on those pages is lawful.” This exclusive for The Privacy Advisor looks into the ruling and reactions from across the privacy spectrum.
Analysis of ECJ Ruling Against Google
“In a landmark ruling the European Court of Justice (ECJ) today ruled that search engines, as a principle, need to remove the link between search results and a webpage if it contains information the individual deems should be ‘forgotten.’” In this Privacy Tracker post, DLA Piper’s Patrick Van Eecke analyzes the case and the ECJ’s decision, notably, that “Google is not a mere processor but also a controller of personal data on third-party web pages, because it is Google that decides upon the purposes and the means of the indexing activity.” The decision may have broad implications for “any service that uses third-party data sources containing personal data,” especially in light of the new Data Protection Regulation, in which the “right to erasure is defined even more broadly.” (IAPP member login required.)
Reaction Roundup: Will ECJ Decision Threaten the Web?
The ripples continue from Tuesday’s European Court of Justice decision on Google and the right for individuals to have links to personal data that is indexed online removed. In a USA Today report, Future of Privacy Forum Cofounder Jules Polonetsky, CIPP/US, discusses the decision, saying, “It sounds like it’s just about Google, but it’s really actually threatening to much of the Internet,” adding, “It’s a real blow to transparency if legal, public information can be obscured simply because somebody decides that it’s information they’d rather not be available.” Others, however, expressed support for the ruling. This roundup for The Privacy Advisor brings together some of the reactions.
Editor's Note: the IAPP will host the web conference "The ECJ Google Decision: What Will the Impacts Be? on May 30.
Falque-Pierrotin: U.S. Tech Biz Too Big for Single EU DPA
Bloomberg reports on comments by Article 29 Working Party Chairwoman Isabelle Falque-Pierrotin, saying U.S. technology giants are too big for single DPAs alone or in small groups. It would be a negative development if EU rules meant that “two or three countries take the lead on dealing with the big players and the others watch the trains go by,” she said, adding, “There has to be more substantial consultation between the authorities on topics such as Google or Facebook.” Wilson Sonsini’s Christopher Kuner said, “Developing a coherent one-stop shop is the main stumbling block for approval of the regulation … It’s one … of the most important elements of the proposal.” Luxembourg’s DPA said, “With such big players whose data treatment has an effect on many countries, there has to be more intense cooperation between the authorities.”
Australian Government’s Budget Disbands OAIC
The Office of the Australian Information Commissioner (OAIC) has been overhauled in Australia’s 2014 budget with the disbanding of the OAIC and the reallocation of its tasks to other government agencies, ZDNet reports. As of 1 January, the OAIC will no longer exist as its own entity, and its 63.3 internal staff and additional external staff members will be redistributed among other government agencies. Privacy law will be administered by Privacy Commissioner Timothy Pilgrim from a Sydney office, the report states, and the OAIC will no longer advise on information policy. Australian Information Commissioner John McMillan, Freedom of Information Commissioner James Popple and Privacy Commissioner Timothy Pilgrim have issued a statement acknowledging the government’s decision and highlighting the OAIC’s achievements since its inception in 2010. In the midst of this news, the OAIC had announced privacy complaints are expected to increase by more than 100 percent over last year.
If you want to comment on this post, you need to login.